GNOME Bugzilla – Bug 750853
Null pointer crash in ms-excel-util.c:758 on a fuzzed xlsx file
Last modified: 2015-06-12 17:58:01 UTC
Git versions of glib, goffice, gnumeric, libgsf and libxml2.

Test case: http://jutaky.com/fuzzing/gnumeric_case_4096_1607.xlsx

$ ssconvert gnumeric_case_4096_1607.xlsx /tmp/out.gnumeric
==14545==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f4e122bdf45 bp 0x7ffdb1730db0 sp 0x7ffdb1730a60 T0)
    #0 0x7f4e122bdf44 in xls_header_footer_import gnumeric/gnumeric/plugins/excel/ms-excel-util.c:758:10
    #1 0x7f4e125f6dbc in xlsx_CT_oddheader_end gnumeric/gnumeric/plugins/excel/xlsx-read.c:2005:2
    #2 0x7f4e33f76b81 in gsf_xml_in_end_element gnumeric/libgsf/gsf/gsf-libxml.c:863:3
    #3 0x7f4e32f40856 in xmlParseEndTag1 gnumeric/libxml2/parser.c:8747:9
    #4 0x7f4e32f4cd3a in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10191:2
    #5 0x7f4e32f47bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #6 0x7f4e32f4c039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #7 0x7f4e32f47bd3 in xmlParseContent__internal_alias gnumeric/libxml2/parser.c:9990:6
    #8 0x7f4e32f4c039 in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10163:5
    #9 0x7f4e32f70684 in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849:2
    #10 0x7f4e33f61c63 in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #11 0x7f4e125aacd8 in xlsx_parse_stream gnumeric/gnumeric/plugins/excel/xlsx-read.c:358:13
    #12 0x7f4e125b1bdf in xlsx_wb_end gnumeric/gnumeric/plugins/excel/xlsx-read.c:3996:3
    #13 0x7f4e33f76b81 in gsf_xml_in_end_element gnumeric/libgsf/gsf/gsf-libxml.c:863:3
    #14 0x7f4e32f40856 in xmlParseEndTag1 gnumeric/libxml2/parser.c:8747:9
    #15 0x7f4e32f4cd3a in xmlParseElement__internal_alias gnumeric/libxml2/parser.c:10191:2
    #16 0x7f4e32f70684 in xmlParseDocument__internal_alias gnumeric/libxml2/parser.c:10849:2
    #17 0x7f4e33f61c63 in gsf_xml_in_doc_parse gnumeric/libgsf/gsf/gsf-libxml.c:1338:2
    #18 0x7f4e125aacd8 in xlsx_parse_stream gnumeric/gnumeric/plugins/excel/xlsx-read.c:358:13
    #19 0x7f4e125a9652 in xlsx_file_open gnumeric/gnumeric/plugins/excel/xlsx-read.c:5153:4
    #20 0x7f4e34b35c80 in go_plugin_loader_module_func_file_open gnumeric/goffice/goffice/app/go-plugin-loader-module.c:282:3
    #21 0x7f4e34b49804 in go_plugin_file_opener_open gnumeric/goffice/goffice/app/go-plugin-service.c:685:2
    #22 0x7f4e34b57018 in go_file_opener_open gnumeric/goffice/goffice/app/file.c:417:2
    #23 0x7f4e364ddf2a in workbook_view_new_from_input gnumeric/gnumeric/src/workbook-view.c:1278:3
    #24 0x7f4e364deb20 in workbook_view_new_from_uri gnumeric/gnumeric/src/workbook-view.c:1337:9
    #25 0x4e0f21 in convert gnumeric/gnumeric/src/ssconvert.c:715:9
    #26 0x4decce in main gnumeric/gnumeric/src/ssconvert.c:903:9
    #27 0x7f4e2ef6c78f in __libc_start_main (/usr/lib/libc.so.6+0x2078f)
    #28 0x437b98 in _start (apps/bin/ssconvert+0x437b98)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV gnumeric/gnumeric/plugins/excel/ms-excel-util.c:758 xls_header_footer_import

-- Juha Kylmänen
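The trace above bottoms out in xls_header_footer_import, the routine that splits an Excel header/footer string into its &L/&C/&R sections, reached from the end-element callback for an xlsx header. The report does not show the code at ms-excel-util.c:758 or the fix, so what follows is an added illustration written for this page, not gnumeric's code and not a description of its actual defect: a minimal C parser for that string format (hypothetical names HeaderFooter, hf_import, hf_put, hf_check) that rejects a NULL text pointer with an error return instead of dereferencing it, bounds its section buffers, and does not read past the terminator on a dangling trailing "&". That a fuzzed element could hand such a callback a NULL string is an assumption used to motivate the check, not a finding from the page.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical types and names for illustration only; not gnumeric's API. */
#define HF_MAX 128

typedef struct {
    char left[HF_MAX];
    char center[HF_MAX];
    char right[HF_MAX];
} HeaderFooter;

/* Append one byte to a section, truncating silently once the buffer holds
 * HF_MAX - 1 bytes, so the terminator always fits. */
static void hf_put(char *buf, size_t *len, char c)
{
    if (*len + 1 < HF_MAX) {
        buf[(*len)++] = c;
        buf[*len] = '\0';
    }
}

/* Split an Excel header/footer string such as "&LLeft&CCenter&RRight" into
 * its three sections. "&&" is a literal ampersand; any other "&X" is a field
 * code (&P page, &N pages, &D date, ...) and is kept verbatim in the current
 * section. Text before any section code goes to the center, as Excel does.
 * Returns 0 on success and -1 for a NULL destination or NULL text, so a
 * caller fed a malformed document skips the header instead of crashing. */
int hf_import(HeaderFooter *hf, const char *text)
{
    if (hf == NULL)
        return -1;
    memset(hf, 0, sizeof *hf);
    if (text == NULL)
        return -1;               /* the defensive check: never dereference NULL */

    char *sec = hf->center;
    size_t len = 0;

    for (const char *p = text; *p != '\0'; p++) {
        if (*p != '&') {
            hf_put(sec, &len, *p);
            continue;
        }
        p++;                     /* the character after '&' */
        switch (*p) {
        case '\0':               /* dangling '&' at the end: ignore it and */
            return 0;            /* stop here rather than step past the NUL */
        case '&':
            hf_put(sec, &len, '&');
            break;
        case 'L': sec = hf->left;   len = strlen(sec); break;
        case 'C': sec = hf->center; len = strlen(sec); break;
        case 'R': sec = hf->right;  len = strlen(sec); break;
        default:                 /* field code: keep "&X" as-is */
            hf_put(sec, &len, '&');
            hf_put(sec, &len, *p);
            break;
        }
    }
    return 0;
}

/* Return code of hf_import for a given text, for quick checks. */
int hf_import_rc(const char *text)
{
    HeaderFooter hf;
    return hf_import(&hf, text);
}

/* 1 if `text` parses and yields exactly the three given sections, else 0. */
int hf_check(const char *text, const char *l, const char *c, const char *r)
{
    HeaderFooter hf;
    if (hf_import(&hf, text) != 0)
        return 0;
    return strcmp(hf.left, l) == 0 && strcmp(hf.center, c) == 0 &&
           strcmp(hf.right, r) == 0;
}

int main(void)
{
    /* Constructed sample inputs; the NULL entry models the crash condition. */
    const char *samples[] = { "&LSheet &A&CPage &P of &N&RDate &D",
                              "A && B", "tail&", NULL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        HeaderFooter hf;
        int rc = hf_import(&hf, samples[i]);
        printf("rc=%d left=\"%s\" center=\"%s\" right=\"%s\"\n",
               rc, hf.left, hf.center, hf.right);
    }
    return 0;
}
```

The design point is that the end-element callback, not the string splitter, is usually where the untrusted-input check belongs in a SAX-style reader, but a library routine that may be called from several loaders (the BIFF path and the xlsx path share xls_header_footer_import here) is safer if it also refuses NULL itself, as hf_import does, so a missing check in one caller degrades to a skipped header rather than a SEGV.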
This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.